Who Controls Your DeFi Deposits?
A cross-chain governance audit found that what DeFi users are told and what is actually happening on-chain are not the same thing; without governance safeguards, nothing constrains the gap.
Note: The GitHub report is the canonical version and reflects corrections since publication. See the errata section in the GitHub report.
Note added April 22, 2026: Since publication, Aave has been affected by the KelpDAO rsETH bridge exploit. An attacker used a single-signer bridge (1-of-1 DVN on LayerZero) to mint ~116,500 rsETH with no backing, then deposited it on Aave as collateral to borrow ETH. Aave faces up to $230M in bad debt from this incident.
This does not contradict the findings in this report. The Governance Risk Index measures admin power over user funds: what the admin can do without your consent. It does not measure asset listing risk, oracle risk, or the risk that a listed asset’s backing can be compromised externally.
Aave’s governance behaved exactly as the GRI predicts. The Guardian froze rsETH markets within hours of the exploit. A detailed incident report was published on the public governance forum. Any remediation will go through community vote with timelocks. No single admin is modifying user balances without consent.
What the incident does suggest is a complementary risk category the GRI does not cover: the diligence a protocol applies when listing assets whose backing depends on external trust assumptions, including single-signer bridges. The report’s “Trust Dependencies Stack” section flags bridges as one of DeFi’s escalating attack surfaces. This incident illustrates that broader point, and is a reminder that robust governance is necessary but not sufficient for user safety.
The full technical report on GitHub will be updated with a dedicated errata entry.
Six major lending protocols. Two blockchains. One question: what can the admin do to your funds without your consent, and would you know if they did it?
The answer, for most protocols on Solana, is: more than you think, and no.
How this started
On April 1, 2026, Drift Protocol on Solana was drained of $285 million. The attack was not a smart contract bug. It was a six-month social engineering operation: the attackers built fake relationships to reach the people who controlled the system and, through them, the Solana accounts and keys. Once they had the trust of those in charge of Drift, they deployed their trap, and within minutes the funds were gone.
A friend of mine had deposits on Project 0 (formerly MarginFi V2), which had invested user funds into Drift. After the exploit, their funds disappeared from the Project 0 interface. The portfolio showed $0, 100% health. No explanation, no notification, no trace that a position had ever existed.
I spent five hours with an AI coding agent digging through raw blockchain data to find out what happened. What I found didn’t match what the public had been told. That discrepancy prompted a broader question: is this kind of admin power normal across DeFi lending, or is it an outlier?
I spent the next three days finding out.
The Governance Risk Index
I built a 10-dimension Governance Risk Index (GRI) measuring how much unconstrained admin power each protocol retains, then applied it identically across all six protocols. The dimensions cover who holds the power to change the rules, how long users have to react, and whether there are limits on what the admin can do to your balance. Lower is better: a low GRI means tighter constraints on admin power.
The divide falls along chain lines. Both Ethereum protocols use timelocked governance: every change to the protocol’s rules is publicly visible for 1 to 2 days before it takes effect, and a separate safety committee can cancel anything suspicious during that window. No Solana protocol in the survey has this kind of delay-and-review mechanism. Every admin action executes in a single block, instantly, with no observation window.
This gap is not a technical limitation of Solana. The tools exist: multisig wallets, which require several named signers to approve a change, are deployed and working on Solana, and timelock programs can be built. The gap is cultural and normative. The Ethereum ecosystem, shaped by historical governance failures and years of iterative improvement, developed strong norms around timelocked governance. The Solana ecosystem has not yet developed equivalent norms.
The GRI measures a structural property of the code, what the admin powers permit, not the trustworthiness of the people holding the keys. A protocol with broad admin powers and a trustworthy team still has broad admin powers. The rubric is published in full in the repository so that anyone can apply it to protocols not covered in this survey.
The gap between announcement and reality
The most detailed finding concerns Project 0’s handling of the Drift fallout. Here the question stops being abstract.
Project 0 publicly announced approximately $1.9 million in losses spread across all depositors’ balances: 1% for stablecoins and SOL, 2.61% for Bitcoin and Ethereum holdings, and 6.62% for smaller tokens. Operations resumed around April 5. MacBrennan, Project 0’s founder, stated that as Drift assets were recovered, they would be distributed to “socialized lenders”, his term for the users who received percentage reductions.
The on-chain state tells a different story.
The percentage reductions broadly align with what was announced. But the largest single category of loss, 198 users whose positions were not marked down but erased entirely, does not appear in any public communication. The admin action scrubbed any sign these deposits ever existed from the users’ portfolio view, and there was no notification that it happened. The underlying $5.02 million in deposits remains on Drift’s books under Project 0’s admin control.
MacBrennan’s public statements frame recovery in terms of distributing Drift assets to “socialized lenders”, the users who received percentage reductions. The 198 purged users are not “socialized lenders”. The protocol’s own records no longer show that these users hold those positions.
The full forensic evidence (transaction signatures, account addresses, source code references, and a per-user deposit reconstruction tool) is in the report.
Beyond one protocol
The Project 0 finding is the most striking case, but the governance gap is systemic. Every Solana lending protocol in this survey allows admin actions that execute instantly with no timelock, no public observation window, and no cancellation mechanism. Drift’s own exploit is the proof: a delay-and-review system would have forced those transactions to sit in a public queue for days before executing, giving the community time to spot the attack and cancel it. Instead, the vaults were emptied in minutes.
In traditional finance, an institution that modified customer account balances without providing a clear record to the account holder would face regulatory enforcement and potentially criminal liability. Those protections exist because of the power asymmetry: the intermediary can do things to your funds that you cannot prevent or observe. DeFi was designed to eliminate that asymmetry. Where admin keys retain that power without equivalent transparency, the user is worse off than they would be in the traditional system: the same exposure, with none of the regulatory safeguards.
How this was done
One person directed an AI coding agent (Claude Opus 4.6 via Claude Code) to carry out this entire investigation: reading six protocol codebases across two smart contract programming languages, building tools to query live blockchain data, and producing a comparative governance risk index across all six protocols. It took roughly 20 hours across three days.
That should concern any protocol relying on the assumption that users won’t read their source code or look at what’s actually happening on the blockchain. What took weeks of specialist security work two years ago now takes days with AI assistance. The window during which obscurity is a viable security strategy is closing.
A personal note
I should declare a bias. Before this investigation, I was publicly arguing that Solana was undervalued: that its throughput and efficiency justified a higher market capitalisation than the market was giving it. I wasn’t looking for governance problems. I was a participant who believed in the ecosystem.
The governance gap documented in this report was an unexpected finding, not a hypothesis I set out to confirm. But it has helped me understand something I couldn’t explain before: why sophisticated capital might price in a discount that raw throughput metrics don’t justify. The decentralisation is part of the value. Where protocols are decentralised in name but centralised in admin power, the market may already be reflecting that.
This report is pro-DeFi. The aim is reformation, not abolition. The strongest outcome is one where publishing a Governance Risk Index creates competitive pressure for protocols to improve; protocols that refuse to relinquish unnecessary admin powers then lose capital to those that do.
What should you do?
If you use DeFi: Check your protocol’s admin structure. The report includes a step-by-step guide. The minimum standard you should accept is a “timelocked multisig”: a system where several people must agree to a change, with a mandatory delay before it takes effect, and where the signers are publicly identified. If you use Project 0 and you suspect your portfolio is missing positions, check the GitHub repository; it includes a tool that shows which users’ positions were purged from their portfolio.
If you build DeFi: Move up the governance maturity curve. Put every key with balance-affecting power behind a multisig. Add a timelock. Build safety rules directly into the code that no admin can override.
If you govern a chain ecosystem: Condition ecosystem support on governance commitments. Capital will migrate to ecosystems with stronger governance norms.
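The delay-and-review mechanism described in the Governance Risk Index section, and the “timelocked multisig” plus in-code safety rules recommended above, modelled in Python as an added illustration. This is not code from the audit repository or from any protocol surveyed. The two-day delay, the 2-of-3 signer threshold, the guardian role, and the rule that no governance action may lower a user balance are assumptions chosen for the example; the account names and amounts are constructed.

```python
"""Timelocked multisig with guardian veto and a hard-coded balance invariant,
beside a single-key admin with no delay. Added illustration only; not code
from the audit or any surveyed protocol. Delay, threshold, guardian and the
invariant are assumptions chosen for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Action = Callable[["Protocol"], None]
DAY = 24 * 3600


class GovernanceError(Exception):
    pass


@dataclass
class Protocol:
    """State an admin key could touch: user balances and a protocol fee."""
    balances: Dict[str, int]
    fee_bps: int = 0


@dataclass
class Proposal:
    pid: int
    description: str
    action: Action
    approvals: Set[str] = field(default_factory=set)
    eta: Optional[int] = None  # earliest execution time, set when quorum is reached
    cancelled: bool = False
    executed: bool = False


class InstantAdmin:
    """One key, no queue, no observation window: the pattern the audit found on Solana."""

    def __init__(self, protocol: Protocol, admin: str) -> None:
        self.protocol, self.admin = protocol, admin

    def act(self, caller: str, action: Action) -> None:
        if caller != self.admin:
            raise GovernanceError("caller is not the admin")
        action(self.protocol)  # applied in the same block; nothing for users to observe


class TimelockedMultisig:
    """Quorum of named signers, then a public delay, then execution.
    The guardian may cancel anything still in the queue. execute() enforces an
    invariant that no action may lower a user balance; neither signers nor the
    guardian can switch that check off."""

    def __init__(self, protocol: Protocol, signers: Set[str], threshold: int,
                 guardian: str, delay: int = 2 * DAY) -> None:
        if not 0 < threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the signer count")
        self.protocol, self.signers, self.threshold = protocol, set(signers), threshold
        self.guardian, self.delay = guardian, delay
        self._proposals: Dict[int, Proposal] = {}

    def propose(self, signer: str, description: str, action: Action, now: int) -> int:
        if signer not in self.signers:
            raise GovernanceError(f"{signer} is not a signer")
        pid = len(self._proposals) + 1
        self._proposals[pid] = Proposal(pid, description, action)
        self.approve(signer, pid, now)  # proposing counts as the first approval
        return pid

    def approve(self, signer: str, pid: int, now: int) -> None:
        p = self._get(pid)
        if signer not in self.signers:
            raise GovernanceError(f"{signer} is not a signer")
        p.approvals.add(signer)
        if p.eta is None and len(p.approvals) >= self.threshold:
            p.eta = now + self.delay  # quorum reached: the public observation window starts

    def cancel(self, caller: str, pid: int) -> None:
        if caller != self.guardian:
            raise GovernanceError("only the guardian may cancel")
        self._get(pid).cancelled = True

    def execute(self, pid: int, now: int) -> None:
        p = self._get(pid)
        if p.eta is None:
            raise GovernanceError("quorum not reached")
        if now < p.eta:
            raise GovernanceError(f"timelock active until t={p.eta}")
        before = dict(self.protocol.balances)
        p.action(self.protocol)
        if any(self.protocol.balances.get(u, 0) < v for u, v in before.items()):
            self.protocol.balances = before  # revert: governance may not lower a balance
            raise GovernanceError("invariant: action would reduce a user balance")
        p.executed = True

    def queue(self) -> List[Tuple[int, str, Optional[int]]]:
        """What anyone can read while the delay runs: pending actions and their ETAs."""
        return [(p.pid, p.description, p.eta) for p in self._proposals.values()
                if not (p.executed or p.cancelled)]

    def _get(self, pid: int) -> Proposal:
        p = self._proposals.get(pid)
        if p is None or p.cancelled or p.executed:
            raise GovernanceError(f"proposal {pid} is not pending")
        return p


def wipe_alice(p: Protocol) -> None:
    """A balance-destroying admin action (constructed for the demo)."""
    p.balances["alice"] = 0


def demo() -> Dict[str, int]:
    now = 1_700_000_000  # constructed timestamp
    instant = InstantAdmin(Protocol({"alice": 1_000, "bob": 500}), admin="ops")
    instant.act("ops", wipe_alice)  # alice is at 0 in the same call; no window, no trace

    gov = TimelockedMultisig(Protocol({"alice": 1_000, "bob": 500}),
                             signers={"s1", "s2", "s3"}, threshold=2, guardian="safety")
    pid = gov.propose("s1", "zero out alice", wipe_alice, now)
    gov.approve("s2", pid, now)    # quorum; the action now sits visibly in queue() for 2 days
    gov.cancel("safety", pid)      # guardian vetoes it during the window
    fee = gov.propose("s1", "set fee to 10 bps", lambda p: setattr(p, "fee_bps", 10), now)
    gov.approve("s3", fee, now)
    gov.execute(fee, now + 2 * DAY)  # a benign change passes once the delay has elapsed
    return {"instant_alice": instant.protocol.balances["alice"],
            "timelocked_alice": gov.protocol.balances["alice"],
            "fee_bps": gov.protocol.fee_bps}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result of demo(): the single-key admin zeroes alice’s balance in the same call, while on the timelocked path alice is untouched because the guardian cancelled the proposal during the public window, and the later fee change passes only after the delay has run. The balance check in execute() is the “safety rule no admin can override”: a proposal that has passed both quorum and timelock is still reverted if it would reduce any user’s balance.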
The full technical report (methodology, Governance Risk Index, per-protocol analysis, on-chain data, and tools for affected users) is at:
github.com/NickRHill/defi-governance-audit
All findings are derived from public source code and public blockchain state. Every claim is independently verifiable.
Nick Hill, governance-audit@nickhill.co.uk